
Page 1

CRIM 3460 Introduction to Critical Infrastructure Protection Spring 2015

Chapter 7 – Cyber Threats

School of Criminology and Justice Studies University of Massachusetts Lowell

Page 2

Tim Wu of Columbia University coined the term "net neutrality" in 2003

It is the principle that all data on the internet be treated equally, without discriminating or charging differentially

FCC net neutrality rules

o Designed to make sure ISPs treat all legal content equally

o The internet is too important to let the broadband companies make the rules

o Essentially classifies the internet as a utility

Page 3

Bill in Congress that would roll back the FCC rules

o The rules shall have no force or effect

o FCC may not reissue or issue a new rule until after the enactment of this Act.

Page 4

Highly unregulated industry

o Self-organizing system

o Lacks regulatory controls on its use

Scale-free as it has major hubs

o Telecom hotels are the #1 risk

o Tier-1 ISPs may be the #2 risk

Extremely vulnerable to global threats

o Originally designed for robustness, but not security

Forming basis of the 21st century economy

o High penalty for doing it wrong!

Page 5

Flaws in TCP/IP

Viruses and worms travel via vectors

Software flaws are the first and foremost vectors

Most prominent vector; shows how TCP/IP can be exploited

Open ports

o Access doors to the computer; let data in and out, even worms

Others (most popular exploits)

o Buffer overflow (operating systems can be exploited)

o Email and email attachments

o Miscellaneous flaws in software

Page 6

SYN flooding is a form of DoS

Attacker sends a series of SYN requests to a target system, trying to consume server resources and make the system unresponsive

Normally the SYN sent to System B is paired with an ACK that completes the handshake; if that ACK never comes, the system crashes

Figure 7.1a in Text

Page 7

Normal connection between a user and a server: the three-way handshake is correctly performed.

Attacker sends SYN packets but never sends the ACK back to the server. Connections are left half-open and consume server resources. A legitimate user tries to connect, but the server refuses.

Source: Wikipedia
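A model of the half-open connection table that Pages 6 and 7 describe, as an added example (not code from the slides or the textbook): a flood of SYNs that are never acknowledged fills a fixed backlog, so a legitimate client's SYN is refused until the stale entries time out, while the stateless SYN-cookie variant (an assumption going beyond the slide) keeps no per-SYN state and so has nothing for the flood to fill. Backlog size, timeout and all addresses are constructed.

```python
"""Server-side model of TCP half-open (SYN_RECV) state under a SYN flood.
Constructed simulation: no real sockets; all addresses and sizes are made up."""
import hashlib

SECRET = b"constructed-per-host-secret"

def syn_cookie(src):
    # SYN-cookie idea: derive the SYN-ACK sequence number from the client's
    # address and a secret, so the server stores nothing until the ACK arrives.
    return hashlib.sha256(SECRET + repr(src).encode()).hexdigest()[:8]

class Listener:
    def __init__(self, backlog, timeout, syn_cookies=False):
        self.backlog = backlog          # max half-open entries the server keeps
        self.timeout = timeout          # seconds before a half-open entry is dropped
        self.syn_cookies = syn_cookies
        self.half_open = {}             # src -> time the SYN was seen
        self.established = self.refused = 0

    def on_syn(self, src, now):
        # Handshake step 1: SYN arrives; the server would answer with SYN-ACK.
        if self.syn_cookies:
            return True                 # no table entry, so a flood has nothing to fill
        self.half_open = {k: t for k, t in self.half_open.items()
                          if now - t < self.timeout}
        if len(self.half_open) >= self.backlog:
            self.refused += 1           # backlog full: SYN dropped, client gets no SYN-ACK
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now, cookie=None):
        # Handshake step 3: the client's ACK completes the connection.
        if self.syn_cookies:
            ok = cookie == syn_cookie(src)                  # stateless validation
        else:
            ok = self.half_open.pop(src, None) is not None  # must match a half-open entry
        self.established += int(ok)
        return ok

def simulate(syn_cookies=False, backlog=128, timeout=60.0, flood=500):
    srv = Listener(backlog, timeout, syn_cookies)
    for i in range(flood):              # constructed flood: spoofed sources never ACK
        srv.on_syn(("203.0.113.%d" % (i % 254 + 1), 40000 + i), now=i * 0.01)
    client, t = ("192.0.2.10", 50000), flood * 0.01   # legitimate client just after the burst
    got_in = srv.on_syn(client, t) and srv.on_ack(client, t + 0.05, syn_cookie(client))
    client2, t2 = ("192.0.2.10", 50001), t + timeout + 1  # retry after entries time out
    retry = srv.on_syn(client2, t2) and srv.on_ack(client2, t2 + 0.05, syn_cookie(client2))
    return bool(got_in), bool(retry), srv.refused
```

`simulate()` returns whether the client got in during the flood, whether its retry after the timeout got in, and how many SYNs the server refused; compare the default run with `simulate(syn_cookies=True)`.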

Page 8

DoS on the White House website on 10/21/02

Via the Code Red worm/virus, which works as follows:

o Worm enters the target computer through its port 80

o Infects the MS Internet Information Server software

o Randomly copies itself onto other targets for 20 days

o Dormant until a certain date, when copies are activated

o Millions of distributed copies flood the White House server

White House changed the server's DNS address, redirecting www.whitehouse.gov to another server

Page 9

Exploit bypasses computer access control

Fools the OS into thinking an incoming virus is data

If the buffer area is overflowed and the overflow (even accidentally) changes the return address, the virus can take control of the computer

Control passes to the virus, instead of the user or OS

Trial and error to get the correct buffer size; many attempts

Figure 7.2a in Text

Page 10

Virus has guessed the right size of the buffer

Tricks OS into passing control to the virus, instead of the authorized user

Exploiter discovers how to penetrate OS protection

Virus is free to do whatever it wants

Figure 7.2b in Text

Page 11

The exploiter pre-loads unsuspecting zombies prior to a massive DDoS

Phase I: Spread the worm via ports

Figure 7.3a in Text

Page 12

At a preset time, the zombies launch multiple DoS attacks against a target.

Phase II: Attack the target via its ports

Figure 7.3b in Text

Page 13

Figure 7.3b in Text

Page 14

Figure 7.3b in Text

Code Red in July 2001

Page 15

Clear source and destination addresses lead to:

o 200K infected North American computers

o 400–700K computers worldwide

Interdependent with banking

o Stalled largest ATM network

Total cost is unknown

Who were the perpetrators? Unknown

Page 16

February 2000 strikes on the most popular sites (hubs) of the WWW: Amazon.com Inc., Buy.com Inc., CNN.com, eBay Inc., E-Trade.com, Yahoo Inc., ZDNet

Canadian teenager created an army of zombie computers to flood the web servers, forcing them to shut down for hours

Estimated $1.7B in lost revenues

Fined $250 and 8 months in jail.

Page 17

Robert Tappan Morris

o First virus 1988; fined $10,000, 3 yrs probation

o Founded and sold ViaWeb to Yahoo in 1995 for $48M

o MIT professor today

Jonathan James

o First hacker to serve prison time (6 months) for hacking

o Hacked into NASA and DOD computers

o Claimed NASA software was crappy

Adrian Lamo – aka the homeless hacker

o Broke into banks, newspapers and MS from coffee shops

o Works for a security company in California; exposed WikiLeaks violation

Kevin Mitnick

o Served 5 years, 8 months in jail

o Subject of two movies and several TV programs; wrote 2 best-sellers.

Page 18

Stuxnet is a computer worm designed to attack industrial programmable logic controllers

July – October 2010: appears to target a particular power control system (i.e. Iran's nuclear facility)

Transferred from a thumb drive to a Windows computer (infected 45,000 computers)

Level of sophistication suggests it is made by a government (Speculation: source is US or Israeli or both)

No widespread damage so far (Speculation: targeted Iran's centrifuges)

SCADA attacks: impact on critical infrastructure?

Page 19

U.S. Military: President Bush was the first U.S. President to approve the use of offensive cyber exploits in Iraq, as part of the 2007 surge

Gen. Petraeus to Congress: "This war is not only being fought on the ground in Iraq but also in cyberspace"

Russia-Georgia conflict of 2008: Russian intervention in South Ossetia was augmented by DoS attacks on Georgian telecom

Unknown as to whether Russian military or "black hats"

Page 20

Botnets and Botherders

Botnet: invisible network of viruses overlaid on the net

Botnets are under the control of a botherder (remote control)

Target and purpose not known; mostly spam servers

Rustock

o Flyman runs the Russian Business Network in St. Petersburg

o Botherds 1.6–2.4M zombies

Zeus

o Largest known botnet in USA: 3.6M zombies [2009].

Page 21

Typical fault tree of threat-asset pairs

Figure 7.4 in Text

Page 22

Values used to analyze the general fault tree

Table 7.1 in Text

Page 23

Typical ROI analysis of fault tree of threat-asset pairs

Figure 7.5 in Text

Page 24

Probability of infection vs. recent threats/exploits

Risk = EP x C, where EP = infectiousness and C = consequence
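The Risk = EP x C formula above, carried through the fault-tree and ROI analysis of the preceding slides (Pages 21 to 24) in code, as an added example with constructed numbers (not Table 7.1 or the textbook's figures): each threat-asset pair gets an expected loss, the pairs are combined through a fault-tree OR gate (an assumption about the tree's structure, not stated on the slide), and candidate countermeasures are ranked by risk removed per dollar. Mapping EP to T x V is likewise this example's assumption.

```python
"""Risk = EP x C (or Threat x Vulnerability x Consequence) over threat-asset
pairs, an OR-gate fault tree, and countermeasures ranked by return on investment.
All values are constructed for illustration; they are not from the textbook."""

# Constructed threat-asset pairs: (name, threat T, vulnerability V, consequence C in $).
# EP on the slide corresponds to T * V here: the probability the pair is exploited.
PAIRS = [
    ("worm -> web server",      0.9, 0.5, 200_000),
    ("SYN flood -> web server", 0.6, 0.4, 100_000),
    ("buffer overflow -> OS",   0.7, 0.3, 500_000),
]

# Constructed countermeasures: (name, pair index, cost in $, fraction of V removed).
MEASURES = [
    ("patch management",       0, 20_000, 0.8),
    ("SYN cookies + firewall", 1,  5_000, 0.9),
    ("OS hardening",           2, 50_000, 0.6),
]

def pair_risk(t, v, c):
    """Expected loss for one threat-asset pair: EP * C with EP = T * V."""
    return t * v * c

def total_risk(pairs):
    return sum(pair_risk(t, v, c) for _, t, v, c in pairs)

def or_gate_probability(pairs):
    """Fault-tree OR gate: probability that at least one pair is exploited,
    assuming the pairs fail independently."""
    p_none = 1.0
    for _, t, v, _ in pairs:
        p_none *= 1.0 - t * v
    return 1.0 - p_none

def roi_ranking(pairs, measures):
    """Rank countermeasures by risk removed per dollar spent (highest first)."""
    rows = []
    for name, idx, cost, reduction in measures:
        _, t, v, c = pairs[idx]
        saved = pair_risk(t, v, c) - pair_risk(t, v * (1.0 - reduction), c)
        rows.append((name, saved / cost, saved, cost))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    print("total risk: $%.0f" % total_risk(PAIRS))
    print("P(at least one exploit): %.3f" % or_gate_probability(PAIRS))
    for name, roi, saved, cost in roi_ranking(PAIRS, MEASURES):
        print("%-22s ROI %.2f  saves $%.0f for $%d" % (name, roi, saved, cost))
```

With these constructed values the cheapest measure ranks first: the SYN-flood countermeasure returns the most risk reduction per dollar even though the buffer-overflow pair carries the largest expected loss.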

Page 25

Black Swan: what if the entire Internet fails?

Source: U.S. Department of Commerce. Table 8. Value of Physical Capital Destroyed by Natural Disasters. Cashell, Jackson, Jickling, and Webel, The Economic Impact of Cyber-Attacks, April 1, 2004

Page 26

Simple counter-measures are effective:

o Anti-viral/anti-spyware software

o Intrusion detection systems

o Firewalls

o VPN

o Encryption

Source: 14th Annual CSI Computer Crime and Security Survey, December 2009

Page 27

Einstein Project*

o PASSIVE: monitor and report internet activity via Internet Control Message Protocol (ICMP)

o INTRUSIVE: intrusion detection by collecting network traffic flow data in real time and analyzing content looking for malicious code (i.e. e-mail attachments)

o OFFENSIVE: countermeasures by shooting down an attack before it hits its target; potentially an invasion of privacy

*E-Government Act of 2002 (created a classified program designed to protect government IT systems)

Page 28

A Simple Anti-Viral Counter-Measure

Fight fire with fire; launch an anti-virus that destroys viruses

o Dabber (2004) is believed to be the first worm that spread by targeting a flaw in another worm's code – Sasser.

o Dabber-like "anti-viruses" might be used to destroy other viruses and provide a low-cost countermeasure

Issues: legality, liability

Page 29

Wider adoption of existing technology

o IPv6, HTTPS, VPNs

o Strong firewalls (on desktops/laptops); what about tablets and iPads?

o Broader use of PKI/certificates

Counter-measures

o Anti-virus virus: a safer Dabber?

o Regulation

o Penalties

Page 30

Cyber Risk: Reality or Hype?

Risk = Threat x Vulnerability x Consequence, or Risk = EP x Consequence

Counter hype:

o Nobody has died from a cyber attack

o Consequences may be inflated

o Risk appears to be decreasing

Reality:

o "Cyber Pearl Harbor" hasn't happened yet, but it could

o Dependency on computers still growing

o Attacks getting smarter, but… consequence trend is downward

Page 31

Regulation

1996 Telecom Act changes

o Harden or reduce size of telecom hotels (hubs)

o Incentives for security (higher security standards)

Copy water sector policies: "Large" ISPs (>3300) subject to:

o Temporal passwords

o Require SSL/HTTPS or even VPNs on all transactions

o PII loss fines

Privacy and civil liberties

o Wiretapping concerns

o Abuses